Chained UniFi OS flaws give unauthenticated root on Ubiquiti gateways

Researchers at Bishop Fox have shown that three maximum-severity flaws Ubiquiti patched in May can be chained into a single attack that hands an unauthenticated attacker root access to UniFi OS Server with one crafted web request. Two flaws (CVE-2026-34908 and CVE-2026-34909) bypass the login gateway by abusing how the server reads encoded web addresses; the third (CVE-2026-34910) injects commands into the package-update feature, which runs with passwordless sudo, making escalation to root trivial. The flaws hit version 5.0.6 and earlier across widely used gear like UDM, UCG, and UNVR appliances. Bishop Fox released a free script to check for exposure.

Check

Inventory UniFi OS Server and gateway appliances (UDM, UCG, UNVR) for version 5.0.6 or earlier, and run Bishop Fox's detection script against the management interface to confirm exposure.

Affected

UniFi OS Server 5.0.6 and earlier on UDM, UDM-Pro, UCG, UNVR, and related Ubiquiti appliances; the chain (CVE-2026-34908/34909/34910, all CVSS 10.0) yields unauthenticated root.

Fix

Update to UniFi OS Server 5.0.8 (unifi-core 5.0.153) or later. Because patching does not undo prior compromise, rotate credentials and run incident response where exposure is suspected.
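The Check and Fix steps above amount to a version triage: anything at 5.0.6 or earlier is affected, anything at 5.0.8 or later carries the fix. The following is an added example of that triage over an asset inventory; it is not Bishop Fox's detection script and does not talk to any device. The inventory rows, hostnames and the `5.0.7` and `5.0.10` versions are constructed for illustration; the only version numbers taken from the article are 5.0.6 and 5.0.8. Versions are compared as integer tuples rather than strings so that `5.0.10` sorts after `5.0.8`.

```python
"""Triage a UniFi OS Server inventory against the affected/fixed versions named above.

Added example, not the vendor's or Bishop Fox's code. Thresholds come from the
article; the inventory below is constructed sample data.
"""
from typing import Dict, List, NamedTuple, Tuple

# From the article: 5.0.6 and earlier are affected; 5.0.8 or later is fixed.
AFFECTED_MAX: Tuple[int, ...] = (5, 0, 6)
FIXED_MIN: Tuple[int, ...] = (5, 0, 8)


class Device(NamedTuple):
    host: str
    model: str
    version: str  # as reported by the appliance; may be malformed in a real inventory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.0.6' into (5, 0, 6). Raises ValueError on anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '5.0' compares as (5, 0, 0)."""
    return v + (0,) * (width - len(v))


def classify(version: str) -> str:
    """Map one version string to 'affected', 'fixed' or 'unverified'.

    'unverified' covers versions the article names neither as affected nor as
    fixed (a constructed 5.0.7 would land here); treat those as needing a manual
    check against the vendor advisory rather than as safe.
    """
    v = pad(parse_version(version))
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    return "unverified"


def triage(inventory: List[Device]) -> Dict[str, List[str]]:
    """Group hostnames by patch status; unparseable versions go under 'unknown'."""
    report: Dict[str, List[str]] = {}
    for d in inventory:
        try:
            status = classify(d.version)
        except ValueError:
            status = "unknown"
        report.setdefault(status, []).append(d.host)
    return report


# Constructed sample inventory (hostnames and versions other than 5.0.6/5.0.8 are made up).
SAMPLE_INVENTORY = [
    Device("udm-hq", "UDM-Pro", "5.0.6"),
    Device("ucg-branch", "UCG", "4.2.23"),
    Device("unvr-lab", "UNVR", "5.0.8"),
    Device("udm-remote", "UDM", "5.0.10"),
    Device("ucg-edge", "UCG", "5.0.7"),
    Device("unvr-old", "UNVR", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:11s} {', '.join(hosts)}")
```

Hosts reported as `affected` are the ones to update to 5.0.8 or later and, per the Fix step, to treat as candidates for credential rotation and incident response; `unknown` entries mean the inventory itself needs fixing before the check means anything.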